b'               \xc2\xa0\n\n               \xc2\xa0\n\n               \xc2\xa0     U.S.\xc2\xa0ENVIRONMENTAL\xc2\xa0PROTECTION\xc2\xa0AGENCY\xc2\xa0\n\n               \xc2\xa0     OFFICE\xc2\xa0OF\xc2\xa0INSPECTOR\xc2\xa0GENERAL\xc2\xa0\n               \xc2\xa0\n\n               \xc2\xa0\n\n\n\n                     Fiscal Year 2012\n                     Federal Information Security\n                     Management Act Report\n                     Status of EPA\xe2\x80\x99s Computer Security\n                     Program\n\n                     Report No. 13-P-0032                    October 26, 2012\n\n\n\n\nScan this mobile\ncode to learn more\nabout the EPA OIG.\n\x0cReport Contributors:                                       Rudolph M. Brevard\n                                                           Cheryl Reid\n                                                           Vincent Campbell\n                                                           Albert Schmidt\n                                                           Nii-Lantei Lamptey\n                                                           Rodney Allison\n                                                           Kyle Denning\n\nAbbreviations\n\nAC            Access Control\nASSERT        Automated System Security Evaluation and Remediation Tracking\nBIA           Business Impact Analysis\nCA            Security Assessment and Authorization\nCIO           Chief Information Officer\nCPIC          Capital Planning and Investment Control\nDSS           Directory Service System\nEPA           U.S. Environmental Protection Agency\nFCD           Federal Continuity Directive\nFDCC          Federal Desktop Core Configurations\nFIPS          Federal Information Processing Standards\nFISMA         Federal Information Security Management Act\nGAO           U.S. 
Government Accountability Office\nHSPD          Homeland Security Presidential Directive\nIFMS          Integrated Financial Management System\nMOU           Memorandum of Understanding\nNIST          National Institute of Standards and Technology\nOEI           Office of Environmental Information\nOIG           Office of Inspector General\nOMB           Office of Management and Budget\nPIV           Personal Identification Verification\nPM            Program Management\nPOA&M         Plan of Action & Milestones\nSA            System and Services Acquisitions\nSIEM          Security Incident and Event Management\nSP            Special Publication\nTT&E          Test, Training, and Exercise\nUSGCB         United States Government Configuration Baseline\nUS-CERT       United States Computer Emergency Readiness Team\n\n\n  Hotline\n  To report fraud, waste, or abuse, contact us through one of the following methods:\n\n  e-mail:    OIG_Hotline@epa.gov                      write:    EPA Inspector General Hotline\n  phone:     1-888-546-8740                                     1200 Pennsylvania Avenue NW\n  fax:       202-566-2599                                       Mailcode 2431T\n  online:    http://www.epa.gov/oig/hotline.htm                 Washington, DC 20460\n\x0c                      UNITED STATES ENVIRONMENTAL PROTECTION AGENCY\n                                   WASHINGTON, D.C. 20460\n\n\n                                                                              THE INSPECTOR GENERAL\n\n\n\n\n                                        October 26, 2012\n\nMEMORANDUM\n\nSUBJECT:       Fiscal Year 2012 Federal Information Security Management Act Report:\n               Status of EPA\xe2\x80\x99s Computer Security Program\n               Report No. 13-P-0032\n\n\nFROM:          Arthur A. Elkins, Jr.\n\nTO:            Lisa P. 
Jackson\n               Administrator\n\n\nAttached is the Office of Inspector General\xe2\x80\x99s (OIG\xe2\x80\x99s) Fiscal Year 2012 Federal Information\nSecurity Management Act (FISMA) Reporting Template, as prescribed by the Office of\nManagement and Budget (OMB). We performed this review in accordance with generally\naccepted government auditing standards. These standards require the team to plan and perform\nthe review to obtain sufficient and appropriate evidence to provide a reasonable basis for the\nfindings and conclusions based on the objectives of the review.\n\nWe believe the evidence obtained provides a reasonable basis for our findings and conclusions,\nand in all material respects, meets the FISMA reporting requirements prescribed by OMB. In\naccordance with OMB reporting instructions, I am forwarding this report to you for submission,\nalong with the Agency\xe2\x80\x99s required information, to the Director of OMB.\n\nThe audit work performed during the FISMA review disclosed that the Agency needs to\nmake improvements in the following programs: (1) Continuous Monitoring Management,\n(2) Configuration Management, and (3) Risk Management. The Agency concurred with our\nfindings.\n\nIn addition, audit work during fiscal year 2012 noted significant weaknesses with several aspects\nof EPA\xe2\x80\x99s information security program. Appendix A summarizes the results from these audit\nreports.\n\x0cInspector General                               2012\n                                               Annual FISMA\n                                                  Report\nSection Report\n\n\n\n\n             Environmental Protection Agency\n\x0cSection 1: Continuous Monitoring Management\n1.1      Has the Organization established an enterprise-wide continuous monitoring program that assesses the security state of information systems\n         that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? 
Besides the improvement opportunities that may\n         have been identified by the OIG, does the program include the following attributes:\n          No\n          1.1.1   Documented policies and procedures for continuous monitoring (NIST 800-53: CA-7)\n                  Yes\n          1.1.2   Documented strategy and plans for continuous monitoring (NIST 800-37 Rev 1, Appendix G)\n                  No\n                           Comments:       The Agency finalized a Continuous Monitoring (CM) Strategy in June 2012. However, the Agency has not yet fully\n                                           implemented a plan for CM.\n          1.1.3   Ongoing assessments of security controls (system-specific, hybrid, and common) that have been performed based on the approved\n                  continuous monitoring plans (NIST 800-53, NIST 800-53A)\n                  No\n                           Comments:       The Agency performs assessments of system security controls. However, the Agency is working towards implementing a\n                                           continuous monitoring plan that includes ongoing assessments of security controls.\n          1.1.4   Provides authorizing officials and other key system officials with security status reports covering updates to security plans and security\n                  assessment reports, as well as POA&M additions and updates with the frequency defined in the strategy and/or plans (NIST 800-53,\n                  NIST 800-53A)\n                  Yes\n1.2      Please provide any additional information on the effectiveness of the Organization\xe2\x80\x99s Continuous Monitoring Management Program that was\n         not noted in the questions above\n          The OIG has issued several reports from Fiscal Years 2011 and 2012 identifying continued weaknesses in the Agency\'s continuous monitoring\n          program.\n                  Comments:      Recently, the OIG reported that the Agency is not conducting follow-up 
with system owners to confirm that identified vulnerabilities\n                                 have been addressed or request that system owners provide a response or evidence that the vulnerabilities have been addressed.\n\nSection 2: Configuration Management\n\n\n\nOIG Report - Annual 2012                                                                                                                                           Page 1 of 15\n\x0cSection 2: Configuration Management\n2.1      Has the Organization established a security configuration management program that is consistent with FISMA requirements, OMB policy, and\n         applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the\n         following attributes:\n          No\n          2.1.1    Documented policies and procedures for configuration management\n                   Yes\n          2.1.2    Standard baseline configurations defined\n                   Yes\n          2.1.3    Assessing for compliance with baseline configurations\n                   No\n          2.1.4    Process for timely, as specified in Organization policy or standards, remediation of scan result deviations\n                   No\n          2.1.5    For Windows-based components, FDCC/USGCB secure configuration settings fully implemented and any deviations from\n                   FDCC/USGCB baseline settings fully documented\n                   No\n          2.1.6    Documented proposed or actual changes to hardware and software configurations\n                   Yes\n          2.1.7    Process for timely and secure installation of software patches\n                   No\n          2.1.8    Software assessing (scanning) capabilities are fully implemented (NIST 800-53: RA-5, SI-2)\n                   No\n          2.1.9    Configuration-related vulnerabilities, including scan findings, have been remediated in a timely manner, as specified in 
Organization\n                   policy or standards. (NIST 800-53: CM-4, CM-6, RA-5, SI-2)\n                   No\n          2.1.10   Patch management process is fully developed, as specified in Organization policy or standards. (NIST 800-53: CM-3, SI-2)\n                   No\n\n\n\nOIG Report - Annual 2012                                                                                                                                   Page 2 of 15\n\x0cSection 2: Configuration Management\n2.2      Please provide any additional information on the effectiveness of the Organization\xe2\x80\x99s Configuration Management Program that was not noted in\n         the questions above.\n          In July 2012, the Government Accountability Office (GAO) issued report "INFORMATION SECURITY: Environmental Protection Agency\n          Needs to Resolve Weaknesses," Report No. GAO-12-696.\n                  Comments:      GAO reported that EPA had not always implemented configuration management controls. Although the Agency has an automated tool\n                                 in place for managing changes, officials could only provide records of approved changes for four of the six systems reviewed.\n                                 Information for the other two systems consisted only of e-mails describing the changes. Change information provided by the system\n                                 owners varied in content, and the Agency-wide configuration management guide did not instruct them on how such records should be\n                                 documented. 
Further, EPA had not securely configured its networks and databases in accordance with NIST guidance and Web\n                                 applications, and operating systems were not always configured to the most restrictive settings in accordance with NIST guidance.\n                                 Some EPA information systems and network devices were running outdated software that was no longer supported by the\n                                 manufacturer, resulting in EPA being unable to effectively patch them for vulnerabilities.\n\nSection 3: Identity and Access Management\n3.1      Has the Organization established an identity and access management program that is consistent with FISMA requirements, OMB policy, and\n         applicable NIST guidelines and identifies users and network devices? Besides the improvement opportunities that have been identified by the\n         OIG, does the program include the following attributes:\n          Yes\n          3.1.1   Documented policies and procedures for account and identity management (NIST 800-53: AC-1)\n                  Yes\n          3.1.2   Identifies all users, including federal employees, contractors, and others who access Organization systems (NIST 800-53, AC-2)\n                  No\n          3.1.3   Identifies when special access requirements (e.g., multi-factor authentication) are necessary.\n                  Yes\n          3.1.4   If multi-factor authentication is in use, it is linked to the Organization\'s PIV program where appropriate (NIST 800-53, IA-2)\n                  Yes\n\n\n\n\nOIG Report - Annual 2012                                                                                                                                      Page 3 of 15\n\x0cSection 3: Identity and Access Management\n          3.1.5    Organization has adequately planned for implementation of PIV for logical access in accordance with government policies (HSPD 12,\n                   FIPS 201, OMB M-05-24, 
OMB M-07-06, OMB M-08-01, OMB M-11-11)\n                   Yes\n          3.1.6    Ensures that the users are granted access based on needs and separation of duties principles\n                   Yes\n          3.1.7    Identifies devices with IP addresses that are attached to the network and distinguishes these devices from users (For example: IP\n                   phones, faxes, printers are examples of devices attached to the network that are distinguishable from desktops, laptops or servers that\n                   have user accounts)\n                   Yes\n          3.1.8    Identifies all User and Non-User Accounts (refers to user accounts that are on a system. Examples of non-user accounts are accounts\n                   such as an IP that is set up for printing. Data user accounts are created to pull generic information from a database or a\n                   guest/anonymous account for generic login purposes that are not associated with a single user or a specific group of users)\n                   Yes\n          3.1.9    Ensures that accounts are terminated or deactivated once access is no longer required\n                   No\n          3.1.10   Identifies and controls use of shared accounts\n                   No\n3.2      Please provide any additional information on the effectiveness of the Organization\xe2\x80\x99s Identity and Access Management Program that was not\n         noted in the questions above.\n          In July 2012, GAO issued report "INFORMATION SECURITY: Environmental Protection Agency Needs to Resolve Weaknesses," Report\n          No. GAO-12-696.\n                   Comments:      GAO reported that (1) EPA did not always protect network boundaries, (2) EPA users were not always properly identified and\n                                  authenticated, (3) authorization controls were not fully implemented, and (4) EPA did not always implement physical controls. 
The\n                                  OIG also issued a report in September 2012, "EPA Should Improve Management Practices and Security Controls for Its Network\n                                  Directory Service System and Related Servers," Report No. 12-P-0836. OIG reported EPA is not managing key system\n                                  documentation, system administration functions, and the granting and monitoring of privileged accounts of its directory service system\n                                  (DSS). EPA is not performing DSS user account administration practices, and does not have a management oversight process to\n                                  ensure that the regions and program offices are managing their delegated responsibilities in accordance with Agency and federal\n                                  requirements.\n\nOIG Report - Annual 2012                                                                                                                                            Page 4 of 15\n\x0cSection 4: Incident Response and Reporting\n4.1      Has the Organization established an incident response and reporting program that is consistent with FISMA requirements, OMB policy, and\n         applicable NIST guidelines? 
Besides the improvement opportunities that may have been identified by the OIG, does the program include the\n         following attributes:\n          Yes\n          4.1.1   Documented policies and procedures for detecting, responding to and reporting incidents (NIST 800-53: IR-1)\n                  Yes\n          4.1.2   Comprehensive analysis, validation and documentation of incidents\n                  Yes\n          4.1.3   When applicable, reports to US-CERT within established timeframes (NIST 800-53, 800-61, and OMB M-07-16, M-06-19)\n                  Yes\n          4.1.4   When applicable, reports to law enforcement within established timeframes (SP 800-86)\n                  No\n          4.1.5   Responds to and resolves incidents in a timely manner, as specified in Organization policy or standards, to minimize further damage.\n                  (NIST 800-53, 800-61, and OMB M-07-16, M-06-19)\n                  Yes\n          4.1.6   Is capable of tracking and managing risks in a virtual/cloud environment, if applicable\n                  Yes\n          4.1.7   Is capable of correlating incidents\n                  Yes\n          4.1.8   There is sufficient incident monitoring and detection coverage in accordance with government policies (NIST 800-53, 800-61, and\n                  OMB M-07-16, M-06-19)\n                  Yes\n4.2      Please provide any additional information on the effectiveness of the Organization\xe2\x80\x99s Incident Management Program that was not noted in the\n         questions above.\n          No additional information reported.\n\nSection 5: Risk Management\n\n\n\nOIG Report - Annual 2012                                                                                                                                 Page 5 of 15\n\x0cSection 5: Risk Management\n5.1      Has the Organization established a risk management program that is consistent with FISMA requirements, OMB policy, and applicable NIST\n         guidelines? 
Besides the improvement opportunities that may have been identified by the OIG, does the program include the following\n         attributes:\n          No\n          5.1.1   Documented and centrally accessible policies and procedures for risk management, including descriptions of the roles and\n                  responsibilities of participants in this process\n                  Yes\n          5.1.2   Addresses risk from an organization perspective with the development of a comprehensive governance structure and organization-wide\n                  risk management strategy as described in NIST 800-37, Rev.1\n                  No\n          5.1.3   Addresses risk from a mission and business process perspective and is guided by the risk decisions at the organizational perspective,\n                  as described in NIST 800-37, Rev.1\n                  No\n          5.1.4   Addresses risk from an information system perspective and is guided by the risk decisions at the organizational perspective and the\n                  mission and business perspective, as described in NIST 800-37, Rev. 
1\n                  No\n          5.1.5   Categorizes information systems in accordance with government policies\n                  Yes\n          5.1.6   Selects an appropriately tailored set of baseline security controls\n                  Yes\n          5.1.7   Implements the tailored set of baseline security controls and describes how the controls are employed within the information system\n                  and its environment of operation\n                  Yes\n          5.1.8   Assesses the security controls using appropriate assessment procedures to determine the extent to which the controls are\n                  implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for\n                  the system\n                  Yes\n\n\n\nOIG Report - Annual 2012                                                                                                                                  Page 6 of 15\n\x0cSection 5: Risk Management\n          5.1.9    Authorizes information system operation based on a determination of the risk to organizational operations and assets, individuals,\n                   other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable\n                   Yes\n          5.1.10   Ensures information security controls are monitored on an ongoing basis including assessing control effectiveness, documenting\n                   changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting\n                   the security state of the system to designated organizational officials\n                   Yes\n          5.1.11   Information system specific risks (tactical), mission/business specific risks and organizational level (strategic) risks are communicated\n                   to appropriate levels of the organization.\n      
             No\n          5.1.12   Senior Officials are briefed on threat activity on a regular basis by appropriate personnel. (e.g., CISO).\n                   No\n          5.1.13   Prescribes the active involvement of information system owners and common control providers, chief information officers, senior\n                   information security officers, authorizing officials, and other roles as applicable in the ongoing management of information\n                   system-related security risks\n                   Yes\n          5.1.14   Security authorization package contains system security plan, security assessment report, and POA&M in accordance with\n                   government policies. (SP 800-18, SP 800-37)\n                   Yes\n          5.1.15   Security authorization package contains Accreditation boundaries for Organization information systems defined in accordance with\n                   government policies.\n                   Yes\n5.2      Please provide any additional information on the effectiveness of the Organization\xe2\x80\x99s Risk Management Program that was not noted in the\n         questions above.\n          In July 2012, GAO issued report "INFORMATION SECURITY: Environmental Protection Agency Needs to Resolve Weaknesses," Report\n          No. GAO-12-696.\n                   Comments:       GAO reported that EPA did not (1) always effectively encrypt sensitive information, (2) effectively log and monitor system activity,\n                                   (3) always implement media protection controls, and (4) document that system security controls were fully tested. 
GAO also found\n                                   that System Security Plans referenced outdated policies and procedures.\n\nOIG Report - Annual 2012                                                                                                                                             Page 7 of 15\n\x0cSection 6: Security Training\n6.1      Has the Organization established a security training program that is consistent with FISMA requirements, OMB policy, and applicable NIST\n         guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following\n         attributes:\n          Yes\n          6.1.1   Documented policies and procedures for security awareness training (NIST 800-53: AT-1)\n                  Yes\n          6.1.2   Documented policies and procedures for specialized training for users with significant information security responsibilities\n                  Yes\n          6.1.3   Security training content based on the organization and roles, as specified in Organization policy or standards\n                  Yes\n          6.1.4   Identification and tracking of the status of security awareness training for all personnel (including employees, contractors, and other\n                  Organization users) with access privileges that require security awareness training\n                  Yes\n          6.1.5   Identification and tracking of the status of specialized training for all personnel (including employees, contractors, and other\n                  Organization users) with significant information security responsibilities that require specialized training\n                  Yes\n          6.1.6   Training material for security awareness training contains appropriate content for the Organization (SP 800-50, SP 800-53).\n                  Yes\n6.2      Please provide any additional information on the effectiveness of the Organization\xe2\x80\x99s Security Training Program that was 
not noted in the\n         questions above.\n          In July 2012, GAO issued report "INFORMATION SECURITY: Environmental Protection Agency Needs to Resolve Weaknesses," Report\n          No. GAO-12-696.\n                  Comments:       GAO reported that the Agency needs to develop and finalize a role-based security training procedure that tailors specific training\n                                  requirements to EPA users\' role/position descriptions and details the actions information security officers must take when users do not\n                                  complete the training.\n\nSection 7: Plan Of Action & Milestones (POA&M)\n\n\n\nOIG Report - Annual 2012                                                                                                                                             Page 8 of 15\n\x0cSection 7: Plan Of Action & Milestones (POA&M)\n7.1      Has the Organization established a POA&M program that is consistent with FISMA requirements, OMB policy, and applicable NIST\n         guidelines and tracks and monitors known information security weaknesses? Besides the improvement opportunities that may have been\n         identified by the OIG, does the program include the following attributes:\n          Yes\n          7.1.1   Documented policies and procedures for managing IT security weaknesses discovered during security control assessments and\n                  requiring remediation\n                  Yes\n          7.1.2   Tracks, prioritizes and remediates weaknesses\n                  Yes\n          7.1.3   Ensures remediation plans are effective for correcting weaknesses\n                  No\n          7.1.4   Establishes and adheres to milestone remediation dates\n                  Yes\n          7.1.5   Ensures resources are provided for correcting weaknesses\n                  Yes\n          7.1.6   POA&Ms include security weaknesses discovered during assessments of security controls and requiring remediation. 
(Do not need to\n                  include security weakness due to a Risk Based Decision to not implement a security control) (OMB M-04-25)\n                  No\n          7.1.7   Costs associated with remediating weaknesses are identified (NIST SP 800-53, Rev. 3, Control PM-3 and OMB M-04-25)\n                  Yes\n          7.1.8   Program officials and contractors report progress on remediation to CIO on a regular basis, at least quarterly, and the CIO centrally\n                  tracks, maintains, and independently reviews/validates the POA&M activities at least quarterly (NIST SP 800-53, Rev. 3, Control\n                  CA-5, and OMB M-04-25)\n                  Yes\n\n\n\n\nOIG Report - Annual 2012                                                                                                                                  Page 9 of 15\n\x0cSection 7: Plan Of Action & Milestones (POA&M)\n7.2      Please provide any additional information on the effectiveness of the Organization\xe2\x80\x99s POA&M Program that was not noted in the questions\n         above.\n          In July 2012, GAO issued report "INFORMATION SECURITY: Environmental Protection Agency Needs to Resolve Weaknesses," Report\n          No. 
GAO-12-696.\n                  Comments:      GAO reported that (1) the manner in which the EPA uses the Automated System Security Evaluation and Remediation Tracking\n                                 (ASSERT) tool for POA&Ms can preclude retrieval of specific POA&Ms and pose weaknesses with data reliability because entries\n                                 lacked a specific description of each weakness and did not list the report where the weakness had initially been identified, and (2)\n                                 ASSERT does not have built-in safeguards to keep individuals who have access to POA&Ms from altering initial milestone and\n                                 completion dates.\n\nSection 8: Remote Access Management\n8.1      Has the Organization established a remote access program that is consistent with FISMA requirements, OMB policy, and applicable NIST\n         guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following\n         attributes:\n          Yes\n          8.1.1   Documented policies and procedures for authorizing, monitoring, and controlling all methods of remote access (NIST 800-53: AC-1,\n                  AC-17)\n                  Yes\n          8.1.2   Protects against unauthorized connections or subversion of authorized connections.\n                  Yes\n          8.1.3   Users are uniquely identified and authenticated for all access (NIST 800-46, Section 4.2, Section 5.1)\n                  Yes\n          8.1.4   Telecommuting policy is fully developed (NIST 800-46, Section 5.1)\n                  Yes\n          8.1.5   If applicable, multi-factor authentication is required for remote access (NIST 800-46, Section 2.2, Section 3.3)\n                  Yes\n\n\n\n\nOIG Report - Annual 2012                                                                                                                                           Page 10 of 15\n\x0cSection 8: 
Remote Access Management\n          8.1.6    Authentication mechanisms meet NIST Special Publication 800-63 guidance on remote electronic authentication, including strength\n                   mechanisms\n                   Yes\n          8.1.7    Defines and implements encryption requirements for information transmitted across public networks\n                   Yes\n          8.1.8    Remote access sessions, in accordance to OMB M-07-16, are timed-out after 30 minutes of inactivity after which re-authentication are\n                   required\n                   Yes\n          8.1.9    Lost or stolen devices are disabled and appropriately reported (NIST 800-46, Section 4.3, US-CERT Incident Reporting Guidelines)\n                   Yes\n          8.1.10   Remote access rules of behavior are adequate in accordance with government policies (NIST 800-53, PL-4)\n                   Yes\n          8.1.11   Remote access user agreements are adequate in accordance with government policies (NIST 800-46, Section 5.1, NIST 800-53, PS-6)\n                   Yes\n8.2      Please provide any additional information on the effectiveness of the Organization\xe2\x80\x99s Remote Access Management that was not noted in the\n         questions above.\n          No additional information reported.\n\nSection 9: Contingency Planning\n9.1      Has the Organization established an enterprise-wide business continuity/disaster recovery program that is consistent with FISMA\n         requirements, OMB policy, and applicable NIST guidelines? 
Besides the improvement opportunities that may have been identified by the\n         OIG, does the program include the following attributes:\n          Yes\n          9.1.1    Documented business continuity and disaster recovery policy providing the authority and guidance necessary to reduce the impact of a\n                   disruptive event or disaster (NIST 800-53: CP-1)\n                   Yes\n\n\n\n\nOIG Report - Annual 2012                                                                                                                                  Page 11 of 15\n\x0cSection 9: Contingency Planning\n          9.1.2    The Organization has performed an overall Business Impact Analysis (BIA) (NIST SP 800-34)\n                   No\n          9.1.3    Development and documentation of division, component, and IT infrastructure recovery strategies, plans and procedures (NIST SP\n                   800-34)\n                   Yes\n          9.1.4    Testing of system specific contingency plans\n                   Yes\n          9.1.5    The documented business continuity and disaster recovery plans are in place and can be implemented when necessary (FCD1, NIST\n                   SP 800-34)\n                   Yes\n          9.1.6    Development and fully implementable of test, training, and exercise (TT&E) programs (FCD1, NIST SP 800-34, NIST 800-53)\n                   Yes\n          9.1.7    Performance of regular ongoing testing or exercising of business continuity/disaster recovery plans to determine effectiveness and to\n                   maintain current plans\n                   Yes\n          9.1.8    After-action report that addresses issues identified during contingency/disaster recovery exercises (FCD1, NIST SP 800-34)\n                   Yes\n          9.1.9    Systems that have alternate processing sites (FCD1, NIST SP 800-34, NIST SP 800-53)\n                   Yes\n          9.1.10   Alternate processing sites are subject to the same risks as 
primary sites (FCD1, NIST SP 800-34, NIST SP 800-53)
                   No
          9.1.11   Backups of information that are performed in a timely manner (FCD1, NIST SP 800-34, NIST SP 800-53)
                   Yes
          9.1.12   Contingency planning that considers supply chain threats
                   No

9.2      Please provide any additional information on the effectiveness of the Organization’s Contingency Planning Program that was not noted in the questions above.
          In July 2012, GAO issued report "INFORMATION SECURITY: Environmental Protection Agency Needs to Resolve Weaknesses," Report No. GAO-12-696.
                   Comments:      GAO reported that (1) the Agency did not follow its own procedures or NIST guidance for approving contingency plans, reviewing them annually, and updating them as necessary; (2) EPA did not provide clear evidence that contingency plans were included in certification and authorization packages or evidence of having had an annual review; and (3) among the six plans reviewed, five did not provide full contact information for some staff listed, giving only office telephone numbers and e-mail addresses or, in some cases, office numbers alone.

Section 10: Contractor Systems
10.1     Has the Organization established a program to oversee systems operated on its behalf by contractors or other entities, including Organization systems and services residing in the cloud external to the Organization?
Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:
          Yes
          10.1.1   Documented policies and procedures for information security oversight of systems operated on the Organization's behalf by contractors or other entities, including Organization systems and services residing in public cloud
                   Yes
          10.1.2   The Organization obtains sufficient assurance that security controls of such systems and services are effectively implemented and comply with federal and Organization guidelines
                   Yes
          10.1.3   A complete inventory of systems operated on the Organization's behalf by contractors or other entities, including Organization systems and services residing in public cloud
                   Yes
          10.1.4   The inventory identifies interfaces between these systems and Organization-operated systems (NIST 800-53: PM-5)
                   Yes
          10.1.5   The Organization requires appropriate agreements (e.g., MOUs, Interconnection Security Agreements, contracts, etc.)
for interfaces between these systems and those that it owns and operates
                   Yes
          10.1.6   The inventory of contractor systems is updated at least annually.
                   Yes
          10.1.7   Systems that are owned or operated by contractors or entities, including Organization systems and services residing in public cloud, are compliant with FISMA requirements, OMB policy, and applicable NIST guidelines
                   Yes
10.2     Please provide any additional information on the effectiveness of the Organization’s Contractor Systems Program that was not noted in the questions above.
          In July 2012, GAO issued report "INFORMATION SECURITY: Environmental Protection Agency Needs to Resolve Weaknesses," Report No. GAO-12-696.
                   Comments:      GAO reported that the Agency did not properly ensure that its inventory of information systems, including those systems operated by contractors, was accurate.

Section 11: Security Capital Planning
11.1     Has the Organization established a security capital planning and investment program for information security?
Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:
          Yes
          11.1.1   Documented policies and procedures to address information security in the capital planning and investment control (CPIC) process
                   Yes
          11.1.2   Includes information security requirements as part of the capital planning and investment process
                   Yes
          11.1.3   Establishes a discrete line item for information security in organizational programming and documentation (NIST 800-53: SA-2)
                   Yes
          11.1.4   Employs a business case/Exhibit 300/Exhibit 53 to record the information security resources required (NIST 800-53: PM-3)
                   Yes
          11.1.5   Ensures that information security resources are available for expenditure as planned
                   Yes
11.2     Please provide any additional information on the effectiveness of the Organization’s Security Capital Planning Program that was not noted in the questions above.
          No additional information reported.

                                                                                   Appendix A

            Summary of Significant Fiscal Year 2012
                  Security Control Audits
During fiscal year 2012, the EPA OIG published a number of audit reports on EPA’s information
technology security program and information systems. The following summarizes key findings:

1.
Improvements Needed in EPA’s Network Security Monitoring Program, Report No.
   12-P-0899, September 27, 2012.

  EPA’s deployment of a Security Incident and Event Management (SIEM) tool did not comply
  with EPA’s system life cycle management procedures, which require planning project activities
  to include resources needed, schedules, and structured training sessions. EPA did not develop a
  comprehensive deployment strategy for the SIEM tool to incorporate all of EPA’s offices or a
  formal training program on how to use the tool. EPA does not have a computer security log
  management policy consistent with federal requirements. While EPA has a policy governing
  the minimum system auditing activities to be logged, EPA has yet to define a policy for audit log
  storage and disposal requirements along with log management roles and responsibilities. EPA
  did not follow up with staff to confirm whether corrective actions were taken to address known
  information security weaknesses. EPA had not taken steps to address weaknesses identified
  from internal reviews as required. The Agency concurred with our recommendations.

2. EPA’s Office of Environmental Information Should Improve Ariel Rios and Potomac Yard
   Computer Room Security Controls, Report No. 12-P-0879, September 26, 2012.

  Our review of the security posture and in-place environmental controls of the computer rooms in the
  Ariel Rios and Potomac Yard buildings revealed numerous security and environmental control
  deficiencies. These control deficiencies greatly reduce the ability of the Office of
  Environmental Information (OEI) to safeguard critical information technology assets and
  associated data from the risk of damage and/or loss. The Agency agreed with two
  recommendations and disagreed with three other recommendations.
OEI disagreed because it
  asserts that the Office of Administration and Resources Management bears responsibility for
  remediation for two of the recommendations, and for the other recommendation it stated that
  it is already monitoring environmental variable information. During the audit, the OIG
  requested policies and procedures that address limiting water damage to IT assets. OEI did
  not provide any documentation in response to this request and the OIG concluded that such
  policies did not exist. The OIG believes that OEI bears the responsibility for addressing these
  recommendations because OEI is responsible for managing IT assets in the Ariel Rios and
  Potomac Yard computer rooms.

3. EPA’s Radiation and Indoor Environments National Laboratory Should Improve Its
   Computer Room Security Controls, Report No. 12-P-0847, September 21, 2012.

  Our review of the security posture and in-place environmental controls of EPA’s Radiation
  and Indoor Environments National Laboratory computer room disclosed an array of security
  and environmental control deficiencies. These deficiencies greatly hinder the ability of the
  Office of Air and Radiation to safeguard critical information technology assets and associated
  data from the risk of damage and/or loss. The Agency concurred with our recommendations.

4. EPA Should Improve Management Practices and Security Controls for Its Network
   Directory Service System and Related Servers, Report No. 12-P-0836, September 20, 2012.

  OEI is not managing key system management documentation, system administration
  functions, the granting and monitoring of privileged accounts, and the application of
  environmental and physical security controls associated with its directory service system
  (DSS). OEI is not keeping management documentation associated with the DSS current and
  complete, and does not have an effective process for maintaining this documentation.
Further,
  OEI is not performing user account administration practices for the DSS, and does not have a
  management oversight process to ensure that the regions and program offices are managing
  their delegated responsibilities in accordance with Agency and federal requirements. The
  Office of Administration and Resources Management’s Human Resources and Contractor
  Management systems and processes are not linked to the user account management function.
  OEI is also not managing the delegation of DSS logging and monitoring processes.
  OEI and the Office of Administration and Resources Management concurred with all
  recommendations, other than two associated with environmental and physical security
  controls, and completed or agreed to take corrective actions to address the recommendations
  with which they concurred. OEI indicated that the particular physical and environmental
  controls are not its responsibility. We disagree. The DSS Authentication and Authorization
  servers belong to OEI, which is responsible for managing this equipment. Therefore, OEI
  needs to ensure that these controls are in place.

5. EPA Did Not Properly Migrate General Ledger Balances to Compass From the Integrated
   Financial Management System, Report No. 12-P-0559, July 9, 2012.

  EPA did not properly migrate general ledger balances to Compass from the Integrated
  Financial Management System. We found differences in certain fiscal year 2012 beginning
  balances, abnormal balances, and Agency adjustments to beginning balances. The Federal
  Managers’ Financial Integrity Act requires agencies to provide reasonable assurance that
  accounts are properly recorded and accounted for to ensure reliability of financial reporting.
  The errors we found are indicators of internal control and oversight weaknesses in the
  migration of balances.
The Agency stated it has taken corrective actions and will provide
  supporting documentation.

6. EPA Data Standards Plan Completed but Additional Steps Are Needed, Report No.
   12-P-0519, June 5, 2012.

  Although EPA completed the steps listed in its corrective action plan to close out the
  Agency-level weakness on data standards, the actions taken were either incomplete or lacked
  steps to help management determine the overall effectiveness of the Agency’s implementation
  of data standards. In particular, we determined that EPA developed a data standards training
  program. However, management took no steps to identify who needed the training, track
  whether the appropriate personnel took the training, or obtain feedback from staff on the
  training to ascertain the training’s effectiveness. Further, we determined that EPA created
  data standards report cards. However, these report cards are inaccurate because EPA offices
  did not update the system used to create the report cards. Also, the report card format is such
  that management could not clearly see whether individual offices were in compliance with
  data standards. Finally, we determined that EPA completed two conformance reviews to
  determine system compliance with the data standards. However, management made no plans
  to conduct additional reviews. The Agency agreed with the recommendations.

7. Office of Environmental Information Should Strengthen Controls Over Mobile Devices,
   Report No. 12-P-0427, April 25, 2012.

  OEI has no organization-wide standard operating procedures that explain responsibilities for
  OEI employees and contractors regarding mobile devices. OEI currently does not have
  effective controls for the five areas of concern noted in the hotline complaint: issuance,
  disconnection, multiple devices, inappropriate use, and tracking and recovery.
OEI has also
  not established controls to determine when to disconnect devices; over a 6-month period in
  2011, 68 OEI employees had zero usage of their mobile devices but incurred costs of about
  $29,360. Finally, procedures and controls for tracking and recovering mobile devices are
  missing or ineffective. OEI concurred with the majority of our recommendations and
  described planned actions to address our recommendations. Our recommendations remain
  open pending OEI’s corrective action plan with milestone dates, as well as additional
  specificity from OEI on monitoring inappropriate device usage.

8. Technical Vulnerability Assessments

  As part of the fiscal year 2012 FISMA audit, the OIG issued a series of network vulnerability
  reports to EPA offices to address high-risk and medium-risk vulnerabilities. The OIG met
  with EPA information security personnel to discuss the findings. If not resolved, these
  vulnerabilities could expose EPA’s assets to unauthorized access and potentially harm the
  Agency’s network.

      •   Results of Technical Network Vulnerability Assessment: EPA’s National Vehicle and
          Fuel Emissions Laboratory, Report No. 12-P-0900, September 27, 2012.
      •   Results of Technical Network Vulnerability Assessment: EPA’s Region 6, Report No.
          12-P-0659, August 10, 2012.
      •   Results of Technical Network Vulnerability Assessment: EPA’s Region 1, Report No.
          12-P-0518, June 5, 2012.
      •   Region 10 Technical and Computer Room Security Vulnerabilities Increase Risk to
          EPA’s Network, Report No.
12-P-0220, January 20, 2012.

                                                                                Appendix B

                                    Distribution
Office of the Administrator
Assistant Administrator for Environmental Information and Chief Information Officer
Deputy Assistant Administrator for Environmental Information
Director, Office of Technology Operations and Planning, Office of Environmental Information
Senior Agency Information Security Officer, Office of Environmental Information
Director, Technology and Information Security Staff, Office of Environmental Information
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for External Affairs and Environmental Information
Audit Follow-Up Coordinator, Office of Environmental Information